Wrongdoers have hacked into tens of thousands of British Airways' frequent flyer accounts, but the travel giant claimed on Sunday that no personal information had been swiped.
Some customers, who are members of BA's Executive Club, have complained on message forums that their accounts had been breached and claimed that their Avios reward points had been ransacked.
The hack attack was apparently due to a third party using information slurped elsewhere online.
It comes after The Register reported last week that security researchers had uncovered a basic flaw that appeared to allow anyone to steal email and home address information, trip data, and spend points of Hilton Worldwide "HHonors" loyalty club members.
British Airways sporadically responded to tweets from concerned customers. In one such exchange it said:
We’re sorry for any concern. We’ve become aware of some unauthorised activity in relation to your account and have frozen your Avios as a precaution. We’ll be sending you more details via an email.
Security expert Graham Cluley appeared to have a copy of one such email message sent out to worried folk who have frequent flyer accounts with the airline.
BA purportedly said that frequent flyer customers had been targeted by hackers using "login information relating to a different online service which you may have also used to access your Executive Club account."
The company, in a frankly flimsy effort to reassure its customers, apparently added:
At this stage, we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
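The attack BA describes above, logins using credentials lifted from some other service, is usually called credential stuffing, and it leaves a recognisable trace in a login audit log: one source address trying many different accounts, most attempts failing, with the odd success wherever a customer reused a password. The script below is an added illustration, not British Airways' code or anything the airline published; the log format, addresses, usernames and thresholds are all constructed, and the "freeze the account" step mirrors BA's stated precaution rather than any real BA system.

```python
"""Spot credential-stuffing patterns in a web-login audit log and list the
accounts that a flagged source actually got into (the ones to freeze).

Added example for illustration; the log format is hypothetical:
    "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one stuffing source (203.0.113.9) cycling through
# many accounts, one ordinary user who mistyped once, one clean login, and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
2015-03-29T10:00:01Z 203.0.113.9 alice@example.com FAIL
2015-03-29T10:00:02Z 203.0.113.9 bob@example.com FAIL
2015-03-29T10:00:02Z 203.0.113.9 carol@example.com FAIL
2015-03-29T10:00:03Z 203.0.113.9 dave@example.com FAIL
2015-03-29T10:00:03Z 203.0.113.9 erin@example.com FAIL
2015-03-29T10:00:04Z 203.0.113.9 frank@example.com SUCCESS
2015-03-29T10:00:04Z 203.0.113.9 grace@example.com SUCCESS
2015-03-29T10:00:05Z 203.0.113.9 heidi@example.com FAIL
2015-03-29T10:01:10Z 198.51.100.4 carol@example.com FAIL
2015-03-29T10:01:25Z 198.51.100.4 carol@example.com SUCCESS
2015-03-29T10:02:00Z 192.0.2.7 dave@example.com SUCCESS
this line is deliberately malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to recognise stuffing behaviour."""
    attempts: int = 0
    failures: int = 0
    users: set[str] = field(default_factory=set)        # distinct accounts tried
    compromised: set[str] = field(default_factory=set)  # accounts logged into OK

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> tuple[str, str, str, str] | None:
    """Return (timestamp, ip, user, outcome) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("FAIL", "SUCCESS"):
        return None
    ts, ip, user, outcome = parts
    return ts, ip, user, outcome


def analyse(log_text: str) -> dict[str, SourceStats]:
    """Aggregate login outcomes per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk instead of aborting the whole run
        _, ip, user, outcome = parsed
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "FAIL":
            s.failures += 1
        else:
            s.compromised.add(user)
    return dict(stats)


def suspicious_sources(stats: dict[str, SourceStats],
                       min_users: int = 5,
                       min_failure_rate: float = 0.5) -> list[str]:
    """A single source probing many distinct accounts with mostly wrong
    passwords is the signature of replaying credentials leaked elsewhere:
    each reused password only works for the customers who reused it.
    Thresholds are constructed for the sample; tune them against real traffic."""
    return sorted(ip for ip, s in stats.items()
                  if len(s.users) >= min_users and s.failure_rate >= min_failure_rate)


def accounts_to_freeze(stats: dict[str, SourceStats], flagged: list[str]) -> set[str]:
    """Accounts that a flagged source logged into successfully: the set a
    'freeze as a precaution' response (as BA described) would apply to."""
    return set().union(*(stats[ip].compromised for ip in flagged))


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    flagged = suspicious_sources(stats)
    for ip in flagged:
        s = stats[ip]
        print(f"{ip}: {len(s.users)} accounts tried, failure rate {s.failure_rate:.0%}")
    print("freeze:", sorted(accounts_to_freeze(stats, flagged)))
```

Note that the ordinary user at 198.51.100.4 fails once and then succeeds on a single account, which is exactly what the distinct-account threshold is there to leave alone; a pure failure-rate rule would produce noise from every mistyped password. The same counters also work keyed by user-agent or by /24 prefix, which matters once a stuffing run is spread over a proxy pool.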
Vulture Weekend sought comment from British Airways. We wanted to know if the airline had turned itself in to the UK's Information Commissioner's Office following confirmation that its system had suffered a data breach.
A spokesman said: "We are sorry for the concern and inconvenience this matter has caused and would like to reassure customers that we are taking this incident seriously and have taken a number of steps to lock down accounts so they can no longer be accessed."
It declined to respond to our question about Blighty's data watchdog, however. ®